chromium/src/third_party/blink/web_tests/http/tests/security/isolatedWorld/bypass-main-world-csp.html - manifest_repos/chromium_src - Git at Google

 <!DOCTYPE html>
 <html>
 <head>
 <meta http-equiv="Content-Security-Policy" content="img-src 'none'">
 <script>
     if (window.testRunner) {
         testRunner.dumpAsText();
         testRunner.waitUntilDone();
     }

     tests = 4;
     window.addEventListener("message", function(message) {
         tests -= 1;
         test();
     }, false);

     function setup() {
         // This is needed because isolated worlds are not reset between test
         // runs and a previous test's CSP may interfere with this test. See
         // https://crbug.com/415845.
         testRunner.setIsolatedWorldInfo(1, null, null);
         var img = document.getElementById('testimg');
         img.onload = function () {
             alert('LOADED');
             window.postMessage("next", "*");
         };
         img.onerror = function () {
             alert('BLOCKED');
             window.postMessage("next", "*");
         };
         test();
     }

     function test() {
         function setImgSrc(num) {
             var img = document.getElementById('testimg');
             img.src = "../resources/abe.png?" + num;
         }

         alert("Running test #" + tests + "\n");
         switch (tests) {
             case 4:
                 alert("Test in main world.");
                 setImgSrc(4);
                 break;
             case 3:
                 alert("Test in isolated world without a CSP.");
                 testRunner.evaluateScriptInIsolatedWorld(1, String(eval("setImgSrc")) + "\nsetImgSrc(3);");
                 break;
             case 2:
                 alert("Test in isolated world with lax CSP");
                 testRunner.setIsolatedWorldInfo(1, 'chrome-extension://123', 'img-src *');
                 testRunner.evaluateScriptInIsolatedWorld(1, String(eval("setImgSrc")) + "\nsetImgSrc(2);");
                 break;
             case 1:
                 alert("Test in isolated world with restrictive CSP");
                 testRunner.setIsolatedWorldInfo(1, 'chrome-extension://123', "img-src 'self'");
                 testRunner.evaluateScriptInIsolatedWorld(1, String(eval("setImgSrc")) + "\nsetImgSrc(0);");
                 break;
             case 0:
                 testRunner.setIsolatedWorldInfo(1, null, null);
                 testRunner.notifyDone();
                 break;
         }
     }
 </script>
 </head>
 <body onload='setup();'>
     <p>
         <img id="testimg">
         This test ensures that img-src checks respect the isolated world CSP
         when the IsolatedWorldCSP feature is enabled and bypass the main world
         CSP checks otherwise.
     </p>
 </body>
 </html>
	<!DOCTYPE html>
	<html>
	<head>
	<meta http-equiv="Content-Security-Policy" content="img-src 'none'">
	<script>
	if (window.testRunner) {
	testRunner.dumpAsText();
	testRunner.waitUntilDone();
	}

	tests = 4;
	window.addEventListener("message", function(message) {
	tests -= 1;
	test();
	}, false);

	function setup() {
	// This is needed because isolated worlds are not reset between test
	// runs and a previous test's CSP may interfere with this test. See
	// https://crbug.com/415845.
	testRunner.setIsolatedWorldInfo(1, null, null);
	var img = document.getElementById('testimg');
	img.onload = function () {
	alert('LOADED');
	window.postMessage("next", "*");
	};
	img.onerror = function () {
	alert('BLOCKED');
	window.postMessage("next", "*");
	};
	test();
	}

	function test() {
	function setImgSrc(num) {
	var img = document.getElementById('testimg');
	img.src = "../resources/abe.png?" + num;
	}

	alert("Running test #" + tests + "\n");
	switch (tests) {
	case 4:
	alert("Test in main world.");
	setImgSrc(4);
	break;
	case 3:
	alert("Test in isolated world without a CSP.");
	testRunner.evaluateScriptInIsolatedWorld(1, String(eval("setImgSrc")) + "\nsetImgSrc(3);");
	break;
	case 2:
	alert("Test in isolated world with lax CSP");
	testRunner.setIsolatedWorldInfo(1, 'chrome-extension://123', 'img-src *');
	testRunner.evaluateScriptInIsolatedWorld(1, String(eval("setImgSrc")) + "\nsetImgSrc(2);");
	break;
	case 1:
	alert("Test in isolated world with restrictive CSP");
	testRunner.setIsolatedWorldInfo(1, 'chrome-extension://123', "img-src 'self'");
	testRunner.evaluateScriptInIsolatedWorld(1, String(eval("setImgSrc")) + "\nsetImgSrc(0);");
	break;
	case 0:
	testRunner.setIsolatedWorldInfo(1, null, null);
	testRunner.notifyDone();
	break;
	}
	}
	</script>
	</head>
	<body onload='setup();'>
	<p>
	<img id="testimg">
	This test ensures that img-src checks respect the isolated world CSP
	when the IsolatedWorldCSP feature is enabled and bypass the main world
	CSP checks otherwise.
	</p>
	</body>
	</html>